security/wpa_supplicant: Add security patch set 2016-1

A vulnerability was found in how hostapd and wpa_supplicant write the
configuration file update for the WPA/WPA2 passphrase parameter. If this
parameter has been updated to include control characters either through
a WPS operation (CVE-2016-4476) or through local configuration change
over the wpa_supplicant control interface (CVE-2016-4477), the resulting
configuration file may prevent hostapd and wpa_supplicant from
starting when the updated file is used. In addition, for wpa_supplicant,
it may be possible to load a local library file and execute code from
there with the same privileges under which the wpa_supplicant process
runs.

These patches were developed upstream and published as a response
to the security advisories CVE-2016-4476 and CVE-2016-4477.

PR:		209564
Requested by:	Sevan Janiyan
John Marino 2016-05-19 21:12:07 +00:00
parent 2f60f47b95
commit 5c93ecbe9e
Notes: svn2git 2021-03-31 03:12:20 +00:00
svn path=/head/; revision=415527
6 changed files with 310 additions and 1 deletions

@ -2,7 +2,7 @@
PORTNAME= wpa_supplicant
PORTVERSION= 2.5
PORTREVISION= 1
PORTREVISION= 2
CATEGORIES= security net
MASTER_SITES= http://w1.fi/releases/

@ -0,0 +1,76 @@
From ecbb0b3dc122b0d290987cf9c84010bbe53e1022 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <jouni@qca.qualcomm.com>
Date: Fri, 4 Mar 2016 17:20:18 +0200
Subject: [PATCH 1/5] WPS: Reject a Credential with invalid passphrase
WPA/WPA2-Personal passphrase is not allowed to include control
characters. Reject a Credential received from a WPS Registrar both as
STA (Credential) and AP (AP Settings) if the credential is for WPAPSK or
WPA2PSK authentication type and includes an invalid passphrase.
This fixes an issue where hostapd or wpa_supplicant could have updated
the configuration file PSK/passphrase parameter with arbitrary data from
an external device (Registrar) that may not be fully trusted. Should
such data include a newline character, the resulting configuration file
could become invalid and fail to be parsed.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
---
src/utils/common.c | 12 ++++++++++++
src/utils/common.h | 1 +
src/wps/wps_attr_process.c | 10 ++++++++++
3 files changed, 23 insertions(+)
--- src/utils/common.c
+++ src/utils/common.c
@@ -697,6 +697,18 @@ int is_hex(const u8 *data, size_t len)
}
+int has_ctrl_char(const u8 *data, size_t len)
+{
+ size_t i;
+
+ for (i = 0; i < len; i++) {
+ if (data[i] < 32 || data[i] == 127)
+ return 1;
+ }
+ return 0;
+}
+
+
size_t merge_byte_arrays(u8 *res, size_t res_len,
const u8 *src1, size_t src1_len,
const u8 *src2, size_t src2_len)
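Review bot: has_ctrl_char rejects bytes below 32 and the value 127, so bytes 128 to 255 pass; because the argument is `const u8 *`, a UTF-8 passphrase is accepted unchanged. IEEE 802.11 defines a WPA/WPA2 passphrase as ASCII characters in the range 32 to 126, so `data[i] > 126` would be the stricter check, but that would reject non-ASCII passphrases already in use and the narrower filter is sufficient for the stated goal of keeping newlines out of the configuration file. A one-line comment in the function stating that the upper bound is deliberate would save the next reader from "fixing" it.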
--- src/utils/common.h
+++ src/utils/common.h
@@ -488,6 +488,7 @@ const char * wpa_ssid_txt(const u8 *ssid, size_t ssid_len);
char * wpa_config_parse_string(const char *value, size_t *len);
int is_hex(const u8 *data, size_t len);
+int has_ctrl_char(const u8 *data, size_t len);
size_t merge_byte_arrays(u8 *res, size_t res_len,
const u8 *src1, size_t src1_len,
const u8 *src2, size_t src2_len);
--- src/wps/wps_attr_process.c
+++ src/wps/wps_attr_process.c
@@ -229,6 +229,16 @@ static int wps_workaround_cred_key(struct wps_credential *cred)
cred->key_len--;
#endif /* CONFIG_WPS_STRICT */
}
+
+
+ if (cred->auth_type & (WPS_AUTH_WPAPSK | WPS_AUTH_WPA2PSK) &&
+ (cred->key_len < 8 || has_ctrl_char(cred->key, cred->key_len))) {
+ wpa_printf(MSG_INFO, "WPS: Reject credential with invalid WPA/WPA2-Personal passphrase");
+ wpa_hexdump_ascii_key(MSG_INFO, "WPS: Network Key",
+ cred->key, cred->key_len);
+ return -1;
+ }
+
return 0;
}
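Review bot: the condition relies on `&` binding tighter than `&&`, which is correct, but writing `(cred->auth_type & (WPS_AUTH_WPAPSK | WPS_AUTH_WPA2PSK))` with explicit parentheses makes the intent obvious and avoids compiler warnings about mixed bitwise and logical operators. The rejected key is dumped with wpa_hexdump_ascii_key, which prints the contents only when key dumping has been enabled, so the MSG_INFO line does not expose the value in a default log.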
--
1.9.1

@ -0,0 +1,49 @@
From 73e4abb24a936014727924d8b0b2965edfc117dd Mon Sep 17 00:00:00 2001
From: Jouni Malinen <jouni@qca.qualcomm.com>
Date: Fri, 4 Mar 2016 18:46:41 +0200
Subject: [PATCH 2/5] Reject psk parameter set with invalid passphrase
character
WPA/WPA2-Personal passphrase is not allowed to include control
characters. Reject a passphrase configuration attempt if that passphrase
includes an invalid passphrase.
This fixes an issue where wpa_supplicant could have updated the
configuration file psk parameter with arbitrary data from the control
interface or D-Bus interface. While those interfaces are supposed to be
accessible only for trusted users/applications, it may be possible that
an untrusted user has access to a management software component that
does not validate the passphrase value before passing it to
wpa_supplicant.
This could allow such an untrusted user to inject up to 63 characters of
almost arbitrary data into the configuration file. Such configuration
file could result in wpa_supplicant trying to load a library (e.g.,
opensc_engine_path, pkcs11_engine_path, pkcs11_module_path,
load_dynamic_eap) from user controlled location when starting again.
This would allow code from that library to be executed under the
wpa_supplicant process privileges.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
---
wpa_supplicant/config.c | 6 ++++++
1 file changed, 6 insertions(+)
--- wpa_supplicant/config.c
+++ wpa_supplicant/config.c
@@ -478,6 +478,12 @@ static int wpa_config_parse_psk(const struct parse_data *data,
}
wpa_hexdump_ascii_key(MSG_MSGDUMP, "PSK (ASCII passphrase)",
(u8 *) value, len);
+ if (has_ctrl_char((u8 *) value, len)) {
+ wpa_printf(MSG_ERROR,
+ "Line %d: Invalid passphrase character",
+ line);
+ return -1;
+ }
if (ssid->passphrase && os_strlen(ssid->passphrase) == len &&
os_memcmp(ssid->passphrase, value, len) == 0) {
/* No change to the previously configured value */
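Review bot: the has_ctrl_char check is placed after the `wpa_hexdump_ascii_key(MSG_MSGDUMP, "PSK (ASCII passphrase)", ...)` call, so a value that is about to be rejected is still dumped first. Moving the check above the hexdump avoids logging rejected input at all; minor, since MSGDUMP and key dumps are both off by default.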
--
1.9.1

@ -0,0 +1,76 @@
From 0fe5a234240a108b294a87174ad197f6b5cb38e9 Mon Sep 17 00:00:00 2001
From: Paul Stewart <pstew@google.com>
Date: Thu, 3 Mar 2016 15:40:19 -0800
Subject: [PATCH 3/5] Remove newlines from wpa_supplicant config network
output
Spurious newlines output while writing the config file can corrupt the
wpa_supplicant configuration. Avoid writing these for the network block
parameters. This is a generic filter that covers cases that may not have
been explicitly addressed with a more specific commit to avoid control
characters in the psk parameter.
Signed-off-by: Paul Stewart <pstew@google.com>
---
src/utils/common.c | 11 +++++++++++
src/utils/common.h | 1 +
wpa_supplicant/config.c | 15 +++++++++++++--
3 files changed, 25 insertions(+), 2 deletions(-)
--- src/utils/common.c
+++ src/utils/common.c
@@ -709,6 +709,17 @@ int has_ctrl_char(const u8 *data, size_t len)
}
+int has_newline(const char *str)
+{
+ while (*str) {
+ if (*str == '\n' || *str == '\r')
+ return 1;
+ str++;
+ }
+ return 0;
+}
+
+
size_t merge_byte_arrays(u8 *res, size_t res_len,
const u8 *src1, size_t src1_len,
const u8 *src2, size_t src2_len)
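Review bot: has_newline returns nonzero only for '\n' and '\r', so a value containing any other control character still reaches the config writer unchanged. That matches the stated scope (a newline is what splits a configuration line), but the two helpers now sit side by side with different contracts, one taking a length and rejecting all control characters, the other taking a NUL-terminated string and rejecting only line breaks; a short comment on has_newline saying it is intentionally narrower than has_ctrl_char would prevent callers from assuming they are interchangeable.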
--- src/utils/common.h
+++ src/utils/common.h
@@ -489,6 +489,7 @@ const char * wpa_ssid_txt(const u8 *ssid, size_t ssid_len);
char * wpa_config_parse_string(const char *value, size_t *len);
int is_hex(const u8 *data, size_t len);
int has_ctrl_char(const u8 *data, size_t len);
+int has_newline(const char *str);
size_t merge_byte_arrays(u8 *res, size_t res_len,
const u8 *src1, size_t src1_len,
const u8 *src2, size_t src2_len);
--- wpa_supplicant/config.c
+++ wpa_supplicant/config.c
@@ -2699,8 +2699,19 @@ char * wpa_config_get(struct wpa_ssid *ssid, const char *var)
for (i = 0; i < NUM_SSID_FIELDS; i++) {
const struct parse_data *field = &ssid_fields[i];
- if (os_strcmp(var, field->name) == 0)
- return field->writer(field, ssid);
+ if (os_strcmp(var, field->name) == 0) {
+ char *ret = field->writer(field, ssid);
+
+ if (ret && has_newline(ret)) {
+ wpa_printf(MSG_ERROR,
+ "Found newline in value for %s; not returning it",
+ var);
+ os_free(ret);
+ ret = NULL;
+ }
+
+ return ret;
+ }
}
return NULL;
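Review bot: when has_newline fires, the value is freed and NULL is returned, so the network block is written without that parameter rather than the write failing; the MSG_ERROR line is the only trace. That is a safe default for the file, but a caller of wpa_config_get now cannot distinguish "parameter not set" from "parameter rejected", and the commit message should state that the offending parameter is silently omitted from the written configuration.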
--
1.9.1

@ -0,0 +1,60 @@
From b166cd84a77a6717be9600bf95378a0055d6f5a5 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <jouni@qca.qualcomm.com>
Date: Tue, 5 Apr 2016 23:33:10 +0300
Subject: [PATCH 4/5] Reject SET_CRED commands with newline characters in the
string values
Most of the cred block parameters are written as strings without
filtering and if there is an embedded newline character in the value,
unexpected configuration file data might be written.
This fixes an issue where wpa_supplicant could have updated the
configuration file cred parameter with arbitrary data from the control
interface or D-Bus interface. While those interfaces are supposed to be
accessible only for trusted users/applications, it may be possible that
an untrusted user has access to a management software component that
does not validate the credential value before passing it to
wpa_supplicant.
This could allow such an untrusted user to inject almost arbitrary data
into the configuration file. Such configuration file could result in
wpa_supplicant trying to load a library (e.g., opensc_engine_path,
pkcs11_engine_path, pkcs11_module_path, load_dynamic_eap) from user
controlled location when starting again. This would allow code from that
library to be executed under the wpa_supplicant process privileges.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
---
wpa_supplicant/config.c | 9 ++++++++-
1 file changed, 8 insertions(+), 1 deletion(-)
--- wpa_supplicant/config.c
+++ wpa_supplicant/config.c
@@ -2896,6 +2896,8 @@ int wpa_config_set_cred(struct wpa_cred *cred, const char *var,
if (os_strcmp(var, "password") == 0 &&
os_strncmp(value, "ext:", 4) == 0) {
+ if (has_newline(value))
+ return -1;
str_clear_free(cred->password);
cred->password = os_strdup(value);
cred->ext_password = 1;
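Review bot: the `ext:` password path returns -1 without logging, whereas the generic string path in the next hunk logs the rejected field at MSG_ERROR with the line number. For consistency, and so that a rejected SET_CRED is diagnosable from the log, add a matching `wpa_printf(MSG_ERROR, ...)` before `return -1;` here.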
@@ -2946,9 +2948,14 @@ int wpa_config_set_cred(struct wpa_cred *cred, const char *var,
}
val = wpa_config_parse_string(value, &len);
- if (val == NULL) {
+ if (val == NULL ||
+ (os_strcmp(var, "excluded_ssid") != 0 &&
+ os_strcmp(var, "roaming_consortium") != 0 &&
+ os_strcmp(var, "required_roaming_consortium") != 0 &&
+ has_newline(val))) {
wpa_printf(MSG_ERROR, "Line %d: invalid field '%s' string "
"value '%s'.", line, var, value);
+ os_free(val);
return -1;
}
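Review bot: the three exemptions (excluded_ssid, roaming_consortium, required_roaming_consortium) carry no comment explaining why a newline in them is acceptable; a one-line comment stating the reason (presumably that these values are stored and written back in binary or hex form rather than as a raw string) would save the next reader a trip to the writer. The added `os_free(val)` on the error path is correct for both branches, since val is NULL in the first and os_free(NULL) is a no-op.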
--
1.9.1

@ -0,0 +1,48 @@
From 2a3f56502b52375c3bf113cf92adfa99bad6b488 Mon Sep 17 00:00:00 2001
From: Jouni Malinen <jouni@qca.qualcomm.com>
Date: Tue, 5 Apr 2016 23:55:48 +0300
Subject: [PATCH 5/5] Reject SET commands with newline characters in the
string values
Many of the global configuration parameters are written as strings
without filtering and if there is an embedded newline character in the
value, unexpected configuration file data might be written.
This fixes an issue where wpa_supplicant could have updated the
configuration file global parameter with arbitrary data from the control
interface or D-Bus interface. While those interfaces are supposed to be
accessible only for trusted users/applications, it may be possible that
an untrusted user has access to a management software component that
does not validate the value of a parameter before passing it to
wpa_supplicant.
This could allow such an untrusted user to inject almost arbitrary data
into the configuration file. Such configuration file could result in
wpa_supplicant trying to load a library (e.g., opensc_engine_path,
pkcs11_engine_path, pkcs11_module_path, load_dynamic_eap) from user
controlled location when starting again. This would allow code from that
library to be executed under the wpa_supplicant process privileges.
Signed-off-by: Jouni Malinen <jouni@qca.qualcomm.com>
---
wpa_supplicant/config.c | 6 ++++++
1 file changed, 6 insertions(+)
--- wpa_supplicant/config.c
+++ wpa_supplicant/config.c
@@ -3764,6 +3764,12 @@ static int wpa_global_config_parse_str(const struct global_parse_data *data,
return -1;
}
+ if (has_newline(pos)) {
+ wpa_printf(MSG_ERROR, "Line %d: invalid %s value with newline",
+ line, data->name);
+ return -1;
+ }
+
tmp = os_strdup(pos);
if (tmp == NULL)
return -1;
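Review bot: global string parameters are filtered only for newlines via has_newline, unlike the psk path in patch 2, which uses has_ctrl_char; so parameters such as the library paths named in the commit message may still contain other control characters. That is consistent with the stated scope of this series (preventing the value from spilling into a new configuration line), but the message should say explicitly that only line breaks are rejected so the two different checks are not mistaken for each other.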
--
1.9.1